Exchange 2016 Mail Relay (identifying IPs using relay)

CWT 391 Reputation points
2020-08-31T21:00:11.43+00:00

Hello,

Wanted to see who out there might have a useful tip as to how unique IP addresses can be identified when targeting a Receive Connector so we know what is using mail relay. Below is something I thought might work, but apparently it does not.

Variables:
$begintime = "8/28/2020 3:00 PM"
$logs = Get-ExchangeServer SERVER1 | Get-MessageTrackingLog -Start $begintime -ResultSize Unlimited
OR
# Keep only SMTP events on the Default Frontend connector, excluding senders that contain "Exchange"
$logs = Get-ExchangeServer SERVER1 | Get-MessageTrackingLog -Start $begintime -ResultSize Unlimited | ?{ $_.Source -eq "SMTP" -and $_.ConnectorId.Contains("Default Frontend SERVER1") -eq $true -and $_.Sender.Contains("Exchange") -eq $false }

Queries:
$logs | Select-Object ClientIP -Unique
$logs | Select-Object Sender -Unique

Thanks,

CWT


Accepted answer
  1. Andy David - MVP 145.5K Reputation points MVP
    2020-08-31T21:04:26.59+00:00

    Enable protocol logging on the Receive Connectors and then look through those logs instead

    https://learn.microsoft.com/en-us/exchange/mail-flow/connectors/protocol-logging?view=exchserver-2019#:~:text=The%20SMTP%20conversations%20that%20can,service%20on%20Edge%20Transport%20servers.

    The Connector-ID will tell you which connector was used

    P.S. You can use log parser to analyze.
    Example: https://practical365.com/exchange-server/using-log-parser-protocol-logs-analyze-send-connector-usage/

    and input the receive connector logs instead


2 additional answers

  1. CWT 391 Reputation points
    2020-09-02T18:01:11.877+00:00

    Thank you both very much for your input. I think between the log parser and script provided on GitHub, we should have more than enough information to better understand what IPs are utilizing mail relay and to what connector they may be hitting. Have no idea why I cannot click accept answer for both replies as they both answer the question (would request that YukiSun gets credit as well).

    Much appreciated :o)

    CWT

    1 person found this answer helpful.

  2. Yuki Sun-MSFT 41,016 Reputation points
    2020-09-01T05:23:36.667+00:00

    As recommended by Andy, you can use protocol logging instead. I did some research and found a script from GitHub which can be used to get unique Sender IP Addresses from SMTP logs. The script was intended for Exchange 2010, but can be easily modified for other versions.

    Check Exchange SMTP Logs To Get Unique Sender IP Addresses

    I changed the LogFilePath to "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive*.log" and ran the script in my Exchange 2016 lab; the output file was generated successfully with unique IP addresses. But I'd suggest testing with a small number of files first, as it may take some time to process the log files. (In my case there are about 600 log files and it took me almost 2 hours.)


    If the response is helpful, please click "Accept Answer" and upvote it.

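A worked example of the approach both answers describe (reading the Receive Connector protocol logs instead of message tracking), added here and not taken from the thread or from the linked GitHub script: it parses SmtpReceive*.log lines and lists unique client IPs per Receive Connector with session counts and first/last seen times, so a relay inventory can be reviewed connector by connector. The function name, the constructed sample lines and the $LogPath value are assumptions; the column layout follows the #Fields header Exchange writes into these logs.

```powershell
# Added example (not from the thread): unique client IPs per Receive Connector from SMTP receive protocol logs.
# Assumes protocol logging is enabled on the connectors and the Exchange 2016 default log location.
$LogPath = 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive'

function Get-RelayClientSummary {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines   # raw lines from one or more SmtpReceive*.log files
    )
    # Protocol logs are CSV with '#' comment lines; the '#Fields:' line carries the column names.
    $fieldsLine = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields header found; is this an SMTP protocol log?' }
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ','

    $records = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $header

    # Count each session once: the '+' event marks the connection being opened.
    $records | Where-Object { $_.event -eq '+' } | ForEach-Object {
        # remote-endpoint is IP:port or [IPv6]:port; keep only the address part.
        $ip = $_.'remote-endpoint' -replace '^\[?(.*?)\]?:\d+$', '$1'
        [pscustomobject]@{ Connector = $_.'connector-id'; ClientIP = $ip; Time = [datetime]$_.'date-time' }
    } | Group-Object Connector, ClientIP | ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            Connector = $_.Group[0].Connector
            ClientIP  = $_.Group[0].ClientIP
            Sessions  = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    } | Sort-Object Connector, Sessions -Descending
}

# Constructed sample log (three sessions, two client IPs, two connectors) so the example runs offline.
$sample = @'
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2020-08-28T15:00:01.000Z,SERVER1\Default Frontend SERVER1,08D8AAAA,0,10.0.0.5:25,10.0.0.77:50123,+,,
2020-08-28T15:00:01.100Z,SERVER1\Default Frontend SERVER1,08D8AAAA,1,10.0.0.5:25,10.0.0.77:50123,>,220 SERVER1 Microsoft ESMTP MAIL Service ready,
2020-08-28T15:02:10.000Z,SERVER1\Relay App Servers,08D8BBBB,0,10.0.0.5:25,10.0.0.88:41001,+,,
2020-08-28T16:30:00.000Z,SERVER1\Default Frontend SERVER1,08D8CCCC,0,10.0.0.5:25,10.0.0.77:50999,+,,
'@ -split "`r?`n"

# Real use: replace $sample with the log files, testing on a few files first as Yuki suggests.
# $lines = Get-ChildItem $LogPath -Filter 'SmtpReceive*.log' | Get-Content
Get-RelayClientSummary -LogLines $sample | Format-Table -AutoSize
```

With the sample input this reports 10.0.0.77 with 2 sessions on the Default Frontend connector and 10.0.0.88 with 1 session on the relay connector; any address that appears on the relay connector but is not an expected application server is a candidate for follow-up.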